MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7cd82ad3656b11d2e6697. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7cd82ad3656b11d2e6697
SHA3-384 hash: b5e8f6ebbceed8bce81777f8f95da00b0ed9a1b17a58b52aefd6202734b664a89e84d8fa0e0c5ca6d92cf734c6027fb2
SHA1 hash: 8cc26076bfd3f126bf9acdf1062470f932fdc8a4
MD5 hash: 0526a14db5bba3be623593caeba8c7d2
humanhash: virginia-illinois-freddie-sad
File name:59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7c.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:802'544 bytes
First seen:2023-01-06 17:15:27 UTC
Last seen:2023-01-06 18:32:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 77bb98f8ce76d8f01342dba0bfa7f0fa (1 x Amadey)
ssdeep 12288:74WkZjji46fD35i1WJPD918b4QTBX1iNIYaL7V7yqqMl90I31prmU+g:0N0NMcPpKbN1qUGivBd
Threatray 3'042 similar samples on MalwareBazaar
TLSH T12F05BF81B620C0E4F97A01F19AB99EE4542E3EF11F1451C766C43DDA6A73AE1DC32B1B
TrID 42.7% (.EXE) Win32 Executable (generic) (4505/5/1)
19.2% (.EXE) OS/2 Executable (generic) (2029/13)
19.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon cc33eab08ae6f6fa (1 x Amadey)
Reporter abuse_ch
Tags:Amadey exe signed

Code Signing Certificate

Organisation:www.tomatillo.com
Issuer:www.tomatillo.com
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-06T16:04:29Z
Valid to:2024-01-06T16:24:29Z
Serial number: 30aa5a55c657789843c6b1a8c0dcf6c8
Thumbprint Algorithm:SHA256
Thumbprint: 23dea58844dcbcca9fe504199242455625e326d873f2574fea08ed7aeb3e7c7c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Amadey C2:
http://193.42.33.74/8bdSvcD/index.php

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7c.exe
Verdict:
Malicious activity
Analysis date:
2023-01-06 17:16:12 UTC
Tags:
trojan amadey loader
Link:
https://app.any.run/tasks/36914eac-eb7a-428b-ad70-6e4ee20c3c32

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/350198/
Detection(s):
SecuriteInfo.com.Variant.Fugrafa.271013.23279.26326.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63b857530e926711fd7748d9/reports/b6e821ef-fb3d-41c2-b017-4144a291ef7a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ad7164c-2dc4-4ccc-b644-8b8187157884
Result
Threat name:
Amadey
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1146580
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Amadey bot
Yara detected Amadeys stealer DLL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 779307 Sample: 59d84ed47893f3f3b3a3e121ffb... Startdate: 06/01/2023 Architecture: WINDOWS Score: 100 45 Antivirus detection for URL or domain 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 5 other signatures 2->51 8 59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7c.exe 4 2->8         started        12 dcupdate.exe 2->12         started        14 dcupdate.exe 2->14         started        16 2 other processes 2->16 process3 file4 35 C:\Users\user\AppData\Local\...\dcupdate.exe, PE32 8->35 dropped 37 C:\Users\...\dcupdate.exe:Zone.Identifier, ASCII 8->37 dropped 63 Contains functionality to inject code into remote processes 8->63 18 dcupdate.exe 1 19 8->18         started        signatures5 process6 dnsIp7 39 193.42.33.74 EENET-ASEE Germany 18->39 41 85.192.63.121 LINEGROUP-ASRU Russian Federation 18->41 31 C:\Users\user\AppData\...\avicapn32.dll, PE32 18->31 dropped 33 C:\Users\user\AppData\...\avicapn32[1].dll, PE32 18->33 dropped 53 Multi AV Scanner detection for dropped file 18->53 55 Creates an undocumented autostart registry key 18->55 57 Machine Learning detection for dropped file 18->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 18->59 23 rundll32.exe 19 18->23         started        27 schtasks.exe 1 18->27         started        file8 signatures9 process10 dnsIp11 43 185.223.93.223 HOSTING-SOLUTIONSUS Netherlands 23->43 61 System process connects to network (likely due to code injection or exploit) 23->61 29 conhost.exe 27->29         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7cd82ad3656b11d2e6697/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2023-01-06 17:16:07 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lhme5vdyspz7hm5d4eq77ph2bodl3oiuggt43avngzllchjom2lq._file
Verdict:
malicious
Similar samples:
0b0ce705253e2b6da3bb808b4a51aa1b849d2fe8181c72b10a44527b379e6359
Amadey
1486f8972308128a65b1ace2fcaa4b84e19895c16417c9a1161e57cff7f6487a
Amadey
41bbbd67f80e8b695a6dd7b7dee9ed842e30481b77fcf4770bffbe6ff603a575
Amadey
476d47c18af4d61e015964f83d97afe33f70b73d6228f83d9b0a554a49301d37
Amadey
4e1d74dc935346c30932b28a22a2e19bb734037f08ba7b4964ffabec69962629
Amadey
77b1ab36b855eb7d03cc2967f2a914c5143c2a98d8fa4ce0bce8cef88cab1d18
Amadey
7812b5f5fd710358255d8847f61729386cb982c55beb12a77e240d3377aaeafb
Amadey
f42d98e5fb7292bfc67fda6bb43bed2a33ad76e0b9f45fe78e1f29e716cf1666
Amadey
fa2c4e97ee2522063b1f580f88e9fc263acc2a45ef1952b0cef2f19969103a6b
Amadey
fc65e768418c565ae82ffd30b26aac47a07de9e83c05b32ff6eb7e9af0ba8ce8
Amadey
+ 3'032 additional samples on MalwareBazaar
Result
Malware family:
amadey
Create hunting rule
Score:
  10/10
Tags:
family:amadey persistence trojan upx
Link:
https://tria.ge/reports/230106-vs4xtsda3y/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
Amadey
Malware Config
C2 Extraction:
193.42.33.74/8bdSvcD/index.php
Unpacked files
SH256 hash:
b2c668eac2896934773879708ef60c20523a48ce902562aa414375fc9d06e545
MD5 hash:
48891011483b0c125e034618ee860901
SHA1 hash:
d3e3bdda73a41fd7986ed5dcd4baff4a4c9a7fbb
Detections:
Amadey
Create hunting rule
Link:
https://www.unpac.me/results/cdc676f4-4cfa-4730-b67a-1bf0a66b65f2/
Parent samples :
59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7cd82ad3656b11d2e6697
a0de78912e40af76c9d11128f20bcc7c431ed4a254a8a7533952b554316c5762
SH256 hash:
59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7cd82ad3656b11d2e6697
MD5 hash:
0526a14db5bba3be623593caeba8c7d2
SHA1 hash:
8cc26076bfd3f126bf9acdf1062470f932fdc8a4
Link:
https://www.unpac.me/results/cdc676f4-4cfa-4730-b67a-1bf0a66b65f2/
Malware family:
Amadey
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/59d84ed47893/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7cd82ad3656b11d2e6697

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 59d84ed47893f3f3b3a3e121ffbcfa0b86bdb91431a7cd82ad3656b11d2e6697

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/350198/
  
URLhaus
https://urlhaus.abuse.ch/url/2499278/
  
Delivery method
Distributed via web download

Comments